Hackers working for the Russian government have been using printers, video decoders, and other so-called Internet-of-things devices as a beachhead to penetrate targeted computer networks, Microsoft officials warned on Monday.

“These devices became points of ingress from which the actor established a presence on the network and continued looking for further access,” officials with the Microsoft Threat Intelligence Center wrote in a post. “Once the actor had successfully established access to the network, a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data.”

The officials continued:

After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting. Analysis of network traffic showed the devices were also communicating with an external command and control (C2) server.
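The two behaviours the report describes (a compromised IoT device scanning the local subnet for other hosts, and IoT devices talking to an external C2 server) can both be picked up from ordinary flow or firewall logs. The following Python is an added example, not code from Microsoft's post or this article: the IoT host tags, the external allowlist and the sample flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed asset inventory: which internal addresses are IoT devices.
IOT_HOSTS = {"10.0.5.20": "printer", "10.0.5.21": "voip-phone"}
# Assumed allowlist of external destinations an IoT device may legitimately reach
# (e.g. the vendor's update/NTP host). Everything else external is suspicious.
ALLOWED_EXTERNAL = {"203.0.113.10"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow records: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = (
    # Printer fanning out to 12 neighbouring hosts on SMB and SSH: looks like a scan.
    [("10.0.5.20", f"10.0.5.{n}", p) for n in range(30, 42) for p in (22, 445)]
    + [
        ("10.0.5.21", "203.0.113.10", 123),   # VoIP phone to allowlisted host: fine
        ("10.0.5.21", "198.51.100.7", 443),   # VoIP phone to unknown external: C2-like
        ("10.0.7.8", "10.0.5.99", 445),       # ordinary workstation: not IoT, ignored
    ]
)


def analyze(flows, scan_threshold=10):
    """Return a list of (src_ip, alert_kind, detail) for IoT sources that either
    contact >= scan_threshold distinct internal hosts or reach a non-allowlisted
    external address."""
    internal_fanout = defaultdict(set)
    alerts = []
    for src, dst, port in flows:
        if src not in IOT_HOSTS:
            continue  # only IoT-tagged sources are in scope for these rules
        if ipaddress.ip_address(dst) in INTERNAL_NET:
            internal_fanout[src].add(dst)
        elif dst not in ALLOWED_EXTERNAL:
            alerts.append((src, "unexpected-external", f"{dst}:{port}"))
    for src, hosts in internal_fanout.items():
        if len(hosts) >= scan_threshold:
            alerts.append((src, "internal-scan", f"{len(hosts)} hosts"))
    return alerts


if __name__ == "__main__":
    for src, kind, detail in analyze(SAMPLE_FLOWS):
        print(f"{IOT_HOSTS[src]} {src}: {kind} ({detail})")
```

In a real deployment the inventory and allowlist would come from the asset database and the flows from NetFlow or firewall exports; the thresholds should be tuned per device class, since a printer has no business opening SSH to a dozen neighbours.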

Microsoft researchers discovered the attacks in April, when a voice-over-IP phone, an office printer, and a video decoder in multiple customer locations were communicating with servers belonging to “Strontium,” a Russian government hacking group better known as Fancy Bear or APT28. In two cases, the passwords for the devices were the easily guessable default ones they shipped with. In the third instance, the device was running an old firmware version with a known vulnerability. While Microsoft officials concluded that Strontium was behind the attacks, they said they weren’t able to determine what the group’s ultimate objectives were.

Fancy Bear was one of two Russian-sponsored groups that hacked the Democratic National Committee ahead of the 2016 presidential election. Strontium has also been linked to intrusions into the World Anti-Doping Agency in 2016, the German Bundestag, and France’s TV5Monde TV station, among many others. Last month, Microsoft said it had notified almost 10,000 customers in the past year that they were being targeted by nation-sponsored hackers. Strontium was one of the hacker groups Microsoft named.

Microsoft has notified the makers of the targeted devices so they can explore the possibility of adding new protections. Monday’s report also provided IP addresses and scripts organizations can use to detect if they have also been targeted or infected. Beyond that, Monday’s report reminded people that, despite Strontium's above-average hacking abilities, an IoT device is often all it needs to gain access to a targeted network.

“While much of the industry focuses on the threats of hardware implants, we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives,” the report noted. “These simple attacks taking advantage of weak device management are likely to expand as more IoT devices are deployed in corporate environments.”

These devices need to be either DMZ'd or firewalled entirely until the industry gets off their ass and starts treating them like the actual endpoints they are. So far, VoIP phones, IP cameras, and the like have been treated very differently.

Can we stop pretending that Russia and Putin aren't waging war on the United States? Our President may be in their pocket but they struck at the heart of our democracy with their attack on the 2016 election. This latest just shows Russia is still at it and is still our enemy. The only thing most of us can do about it is to vote out of office any politician that supports Russia directly such as McConnell and Trump, or indirectly by voting in lock-step with them. Throw the bums out!

It makes me wonder if the US is offensively hacking Russia too and we just aren’t hearing about it, or if we are letting Russia just raw dog our infrastructure unscathed. Either scenario seems equally likely in 2019.

If we aren't trying then our agencies aren't doing their job. They spy, we spy, everybody spies on everybody. And the world turns.

Few questions, if I may ... #1. You put some code example ... what is this? What does this code [actually] do? Who wrote it? How do you get it? What is the reason for showing it? #2. You wrote: "Microsoft catches Russian state hackers using IoT devices to breach networks" a. Microsoft == company, legal entity, it is NOT a person, it can NOT "catch" b. "Russian state hackers" .. Are YOU sure? I mean, you "Dan"? How do you know that? With whom did you talk? Do you trust them? Are they trusted? or ... is it some kind of political twist? American Government [as you are supposed to know] (and yes! .. as many other different Governments in the World) lied and twisted many times before [proved and Historical Fact(s)] ... so, WHAT convinces you, Dan, that THIS info is a correct one?! Do you have some solid facts? or .. Do you spread rumors? Thanks - Vladimir Orlovsky

It's past time to sever all of Russia's, and Russian proxies' internet connections.

Sorry, Donny.

I'd also include much of Eastern Europe, and just about all of the Middle East, China, North Korea and (maybe) Taiwan (depending on which way the governmental winds are blowing).

Diplomatic pouches worked before. They can work again. We can't deal with openness on the Internet if it's going to be CONSTANTLY exploited by bad nation/state actors like it is today.

Cut all Internet ties with those places, and the vast majority of command and control connections would be lost forever.

I wonder if those places would even see this as a net-negative or a net-positive. For example, China's Great Firewall effort is only necessary because we're so damn talkative. If both sides (for their own reasons) chose to sever that connection, much of China's problem would go away. They'd lose a weapon, but they'd also lose a threat.

Also, this blows. "Let everybody talk to everybody for free instantly" sounded like such an obviously great aspiration in the heady days of the 1990s.

It's past time to sever all of Russia's, and Russian proxies' internet connections.

Sorry, Donny.

I'd also include much of Eastern Europe, and just about all of the Middle East, China, North Korea and (maybe) Taiwan (depending on which way the governmental winds are blowing).

Your list is surprisingly similar to that I've told Cloudflare to deny traffic to our site from.

Ours is a nonprofit voter protection service that monitors North Carolina voters' registration records (for free), on the lookout for unauthorized changes or being purged from the pollbook, in a manner rather similar to credit report monitoring. Proved to be something of a honeypot for Russian, Eastern European, Asian, and Middle Eastern ne'er-do-wells. We needed that traffic like we need another hole in the head.

That said, I know perfectly well that they can just VPN around our blockade. But most don't seem to. The frequency of attempted SQL injections and other shenanigans dropped dramatically.

(This commentator has made less than a hundred comments in over a decade. That's... carry the one... less than ten per year. Who wants to bet they'll match or double that average in this comment section alone?)

These devices need to be either DMZ'd or firewalled entirely until the industry gets off their ass and starts treating them like the actual endpoints they are. So far, VoIP phones, IP cameras, and the like have been treated very differently.

Air gapped.

Only the latest builds, with the latest security update, of mainstream OSs, should be on the internet. And even that could have a zero day exploit someone out there is sitting on to use at an opportune moment.

Software even a few months out of date is insecure.

Software years old, running in a box with no UI, connected to the Internet, that's sheer madness. But that's IoT.

It makes me wonder if the US is offensively hacking Russia too and we just aren’t hearing about it, or if we are letting Russia just raw dog our infrastructure unscathed. Either scenario seems equally likely in 2019.

Of course they are, and to be quite honest I do not believe a damn thing Microsoft or the US govt says.

(This commentator has made less than a hundred comments in over a decade. That's... carry the one... less than ten per year. Who wants to bet they'll match or double that average in this comment section alone?)

Who cares! What kind of loser are you if you can't address even one single point of his. All you did there was come on here, ad hom attack him and go, really pathetic. Grow up.

Well why thank you so very much for taking a few moments to try and raise some hilarity in your thinly veiled nazi grammar post. Indeed, pitter patter, your exception is the rule, I've been listening to a lot of folk from a small town in Ontario for the last while. Please let that marinate for a while before you reply.

Stupid question du jour: What is a "video decoder" device in the context of how it's mentioned in the Microsoft post? Is this just another name for a network video recorder (NVR)? Something in an auditorium or conference room A/V rack?

Yet another excellent article I can use to show folks why, despite being "a techie" or whatever other term you want to use, I have absolutely no IoT devices in my home. They're simply too difficult to keep secure for the tiny benefit they offer. Funnily enough, a lot of folks have advised me to "come to the future with them". It'll be fun to cite this article as a reason why they ought to come to my preferred future instead.